‘Flame’ Writers Issue Self-destructing Command for Eliminating the Malware
According to researchers at the security company Symantec, following the widespread publicity around the Flame malware and its attacks, the program's creators are understood to have sent out a command that makes the malware self-destruct.
Describing Flame, Symantec states that it contains a built-in component known as SUICIDE, used to uninstall the malicious program from infected PCs. Nonetheless, during the last week of May 2012, Flame's authors began spreading a different self-destruct module to infected PCs that still connected to servers under the authors' control, Symantec's security response team disclosed.
Incidentally, the researchers captured the command in question, named "urgent suicide," via honeypots; on an ordinary system the malware would have been removed without the user's awareness.
The self-destruct component, known as browse32.ocx, had its latest version created on May 9, 2012, Symantec adds.
Its researchers say it is unknown why Flame's creators bypassed the existing SUICIDE functionality in favor of having the malware carry out distinct tasks through a new module. Symantec.com reported this on June 6, 2012.
Meanwhile, although the SUICIDE functionality and the new self-destruct module are similar in their ability to remove numerous Flame-related files, the latter is a step more advanced.
Symantec states that the Flame destroyer completes its task by deleting a specific set of folders and files: over 4 folders and 160 files are targeted for deletion, after which the uninstaller component overwrites the computer's hard disk with random characters.
The security company also observes that the uninstaller makes sure no trace of its presence is left behind, so as to foil any attempt at capturing the malware.
Furthermore, according to Symantec, the Flame attackers kept control of the domain registrations they used, so that they could shift the domains to a new hosting provider.
Meanwhile, Costin Raiu, Security Researcher at Kaspersky Lab, posted on twitter.com that there was one prominent loophole in the new module, which he did not know whether anyone else had discovered. Zdnet.com.au published this dated June 7, 2012.
SPAMfighter News - 18-06-2012